Telcos singled out for prioritizing government requests for data over privacy

Telecommunications giants don’t seem to have any interest in shaking their legacy of complicity with government requests for user data.

The Electronic Frontier Foundation’s latest Who Has Your Back report singles out AT&T, Verizon, T-Mobile and Comcast as its lowest performers, saying that the providers’ policies prioritize government requests for user data over privacy.

The report evaluated 26 technology and telecommunications providers in five areas, including three new categories this year: public-facing policies that stand up to National Security Letter gag orders, promises not to exchange data with the government that extend outside its law enforcement guidelines, and support for reforms to Section 702 of the FISA Amendments Act of 2008.

The telecommunications giants each received only one star, designating credit in a particular category. All four were recognized for following best practices such as publishing a transparency report, having established a public policy that requires the government to obtain a warrant before the content of communication is disclosed, and having published law enforcement guides explaining how they respond to government requests for data.

Requests for comment from Verizon, AT&T, Comcast and T-Mobile were not returned in time for publication. Smaller mobile providers such as Credo and Sonic were at the opposite end of the spectrum, earning stars in all five categories; nine companies earned five stars, including Adobe, Dropbox, Lyft, Pinterest, Uber, Wickr and WordPress. None of the telcos, for example, have public-facing policies that expressly say they won’t share data that could be used for surveillance, while others continue to refuse to inform users about government data requests.

“The telcos grew up in an era of government monopolies; many descend from AT&T or other sanctioned monopolies. They make their business selling data to the government,” said EFF staff attorney Nate Cardozo. “Silicon Valley has libertarian tendencies; it always has. Those companies were founded by folks from academia or even high-school dropouts in some cases. The people who founded Google and Facebook don’t trust the government in the way AT&T does.”

The report’s criteria change annually to reflect trends and incremental changes to the law; the 702 category, for example, comes as Congress prepares to debate whether to reform and/or re-authorize the NSA’s surveillance capabilities.

Cardozo said one area where Silicon Valley giants such as Google, Facebook, Microsoft and Twitter need to step up is in standing up to NSL gag orders. This would require companies to invoke the reciprocal notice procedure, kicking off a process by which the course would review non-disclosure orders accompanying NSLs.

This has been a bone of contention since the Snowden disclosures when companies began publishing transparency reports in order to demonstrate their compliance with the government requests. Some companies have won the right in court to disclose the contents of older NSLs, but most still are limited by law in how much information they can disclose on the number of NSLs received.

Cardozo said that once the categories for this year’s report were finalized in February and the EFF began its outreach to participants, it began to see real movement in some of these categories. “That’s the entire point of the report,” Cardozo said. “We reached out to companies in February starting negotiations to get them to change. No one, for example, had invoked the reciprocal notice provision. That column would have been empty in January. The NSL column would have been empty in January.”

While the EFF said it does hold its report to give more companies the opportunity to move on some of these initiatives, they don’t hold their breath with respect to the telcos. “They say, ‘OK, thanks. We look forward to the report where we get one star,'” Cardozo said.

Technology companies such as Amazon and WhatsApp are not exempt from scrutiny. Amazon, for example, earned two stars (following industry best practices and 702 reform), but it could be compliant in other areas but has not published public-facing policies indicating so. The same goes for WhatsApp, which earned two stars in the same category as Amazon.

“Amazon is a very secretive company. They may be doing all these things, we just don’t know it,” Cardozo said. “We can only give credit when there’s a public-facing policy and Amazon does not have many. Same with WhatsApp. They’ve done many good things like bringing end-to-end encryption to one billion users. If I had to guess, I would say they’re doing well. But I can’t guess. I have to evaluate something.”